JGDMS Project 3.0-SNAPSHOT API Documentation


Package au.net.zeus.rmi.tls

Package au.net.zeus.rmi.tls Description

Subject Authentication

The TlsRMIClientSocketFactory and TlsRMIServerSocketFactory establish secure connections and control access to the Registry in order to secure Phoenix Activation. Their socket creation methods authenticate as a single Principal if the following items are present in the Subject at the time of socket creation:

- One or more principals of type X500Principal
- For each principal, one or more certificate chains, stored as public credentials, and represented by instances of CertPath, whose getType method returns "X.509", and for which calling getSubjectDN on the certificate chain's first element returns that principal's name
- For each certificate chain, an instance of X500PrivateCredential, stored as a private credential, whose getCertificate method returns a value equal to the first element of the certificate chain, and whose getPrivateKey method returns the associated private key
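The following is an added example, not code from the JGDMS project: it builds a Subject carrying the three items listed above from one KeyStore entry, and reports which X500Principals in a Subject satisfy all of them. The class and method names are hypothetical, and how the Subject is made current when the socket factories create sockets is not shown.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import javax.security.auth.x500.X500PrivateCredential;

public final class TlsSubjects {          // hypothetical helper, not a JGDMS class
    /** Builds a Subject from one private-key entry of an already loaded KeyStore. */
    public static Subject fromKeyStore(KeyStore ks, String alias, char[] keyPassword) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPassword);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (key == null || chain == null) throw new IllegalArgumentException("no key entry: " + alias);
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
        X509Certificate leaf = (X509Certificate) chain[0];
        Subject s = new Subject();
        s.getPrincipals().add(leaf.getSubjectX500Principal());                      // item 1: principal
        s.getPublicCredentials().add(path);                                         // item 2: chain, public
        s.getPrivateCredentials().add(new X500PrivateCredential(leaf, key, alias)); // item 3: key, private
        return s;
    }

    /** Returns the X500Principals for which all three listed items are present. */
    public static Set<X500Principal> usablePrincipals(Subject s) {
        Set<X500Principal> usable = new HashSet<>();
        for (X500Principal p : s.getPrincipals(X500Principal.class)) {
            for (CertPath path : s.getPublicCredentials(CertPath.class)) {
                if (!"X.509".equals(path.getType()) || path.getCertificates().isEmpty()) continue;
                X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
                // Compares X500Principal objects; assumed here to match the getSubjectDN name check.
                if (!leaf.getSubjectX500Principal().equals(p)) continue;
                for (X500PrivateCredential c : s.getPrivateCredentials(X500PrivateCredential.class)) {
                    // A destroyed credential returns null for both getters and is skipped.
                    if (leaf.equals(c.getCertificate()) && c.getPrivateKey() != null) usable.add(p);
                }
            }
        }
        return usable;
    }
}
```

An empty result from usablePrincipals means at least one of the three items is missing or mismatched for every X500Principal in the Subject.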

These RMI socket factories are not for use as standard JRMP Endpoints; they are final and not Serializable. They have been designed to secure the Registry, for use in Phoenix's configuration options and as parameters to LocateRegistry methods. These secure sockets require client authentication; anonymous client authentication is vulnerable to deserialization gadget attacks. Invocations by the client on the server endpoint will not populate the server's thread with the client's subject. The JSSE documentation also describes the system properties for configuring the location, type, and password of the truststore that the socket factories use, through JSSE, to make decisions about what certificate chains should be trusted.

Since:
3.1
Version:
3.1
Copyright ©, multiple authors.

Copyright © 2016–2018. All rights reserved.